.nh
.TH IAM(1) iam User Manuals
Eric Paris
Jan 2015

.SH NAME
.PP
iam-authz-server - IAM Authorization Server


.SH SYNOPSIS
.PP
\fBiam-authz-server\fP [OPTIONS]


.SH DESCRIPTION
.PP
Authorization server to run ladon policies which can protecting your resources.
It is written inspired by AWS IAM policiis.

.PP
Find more iam-authz-server information at:
    https://github.com/marmotedu/iam/blob/master/docs/guide/en-US/cmd/iam-authz-server.md,

.PP
Find more ladon information at:
    https://github.com/ory/ladon


.SH OPTIONS
.PP
\fB--alsologtostderr\fP=false
	log to standard error as well as files

.PP
\fB--analytics.enable\fP=true
	This sets the iam-authz-server to record analytics data.

.PP
\fB--analytics.enable-detailed-recording\fP=true
	Enable detailed analytics at the key level.

.PP
\fB--analytics.pool-size\fP=50
	Specify number of pool workers.

.PP
\fB--analytics.records-buffer-size\fP=1000
	Specifies buffer size for pool workers (size of each pipeline operation).

.PP
\fB--analytics.storage-expiration-time\fP=24h0m0s
	Set to a value larger than the Pump's purge_delay. This allows the analytics data to exist long enough in Redis to be processed by the Pump.

.PP
\fB--client-ca-file\fP=""
	If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.

.PP
\fB-c\fP, \fB--config\fP=""
	Read configuration from specified \fB\fCFILE\fR, support JSON, TOML, YAML, HCL, or Java properties formats.

.PP
\fB--feature.enable-metrics\fP=true
	Enables metrics on the apiserver at /metrics

.PP
\fB--feature.profiling\fP=true
	Enable profiling via web interface host:port/debug/pprof/

.PP
\fB--insecure.bind-address\fP="127.0.0.1"
	The IP address on which to serve the --insecure.bind-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).

.PP
\fB--insecure.bind-port\fP=8080
	The port on which to serve unsecured, unauthenticated access. It is assumed that firewall rules are set up such that this port is not reachable from outside of the deployed machine and that port 443 on the iam public address is proxied to this port. This is performed by nginx in the default setup. Set to zero to disable.

.PP
\fB--log-backtrace-at\fP=:0
	when logging hits line file:N, emit a stack trace

.PP
\fB--log-dir\fP=""
	If non-empty, write log files in this directory

.PP
\fB--log.development\fP=false
	Development puts the logger in development mode, which changes the behavior of DPanicLevel and takes stacktraces more liberally.

.PP
\fB--log.disable-caller\fP=false
	Disable output of caller information in the log.

.PP
\fB--log.disable-stacktrace\fP=false
	Disable the log to record a stack trace for all messages at or above panic level.

.PP
\fB--log.enable-color\fP=false
	Enable output ansi colors in plain format logs.

.PP
\fB--log.error-output-paths\fP=[stderr]
	Error output paths of log.

.PP
\fB--log.format\fP="console"
	Log output \fB\fCFORMAT\fR, support plain or json format.

.PP
\fB--log.level\fP="info"
	Minimum log output \fB\fCLEVEL\fR\&.

.PP
\fB--log.name\fP=""
	The name of the logger.

.PP
\fB--log.output-paths\fP=[stdout]
	Output paths of log.

.PP
\fB--logtostderr\fP=false
	log to standard error instead of files

.PP
\fB--redis.addrs\fP=[]
	A set of redis address(format: 127.0.0.1:6379).

.PP
\fB--redis.database\fP=0
	By default, the database is 0. Setting the database is not supported with redis cluster. As such, if you have --redis.enable-cluster=true, then this value should be omitted or explicitly set to 0.

.PP
\fB--redis.enable-cluster\fP=false
	If you are using Redis cluster, enable it here to enable the slots mode.

.PP
\fB--redis.host\fP="127.0.0.1"
	Hostname of your Redis server.

.PP
\fB--redis.master-name\fP=""
	The name of master redis instance.

.PP
\fB--redis.optimisation-max-active\fP=4000
	In order to not over commit connections to the Redis server, we may limit the total number of active connections to Redis. We recommend for production use to set this to around 4000.

.PP
\fB--redis.optimisation-max-idle\fP=2000
	This setting will configure how many connections are maintained in the pool when idle (no traffic). Set the --redis.optimisation-max-active to something large, we usually leave it at around 2000 for HA deployments.

.PP
\fB--redis.password\fP=""
	Optional auth password for Redis db.

.PP
\fB--redis.port\fP=6379
	The port the Redis server is listening on.

.PP
\fB--redis.ssl-insecure-skip-verify\fP=false
	Allows usage of self-signed certificates when connecting to an encrypted Redis database.

.PP
\fB--redis.timeout\fP=0
	Timeout (in seconds) when connecting to redis service.

.PP
\fB--redis.use-ssl\fP=false
	If set, IAM will assume the connection to Redis is encrypted. (use with Redis providers that support in-transit encryption).

.PP
\fB--redis.username\fP=""
	Username for access to redis service.

.PP
\fB--rpcserver\fP="127.0.0.1:8081"
	The address of iam rpc server. The rpc server can provide all the secrets and policies to use.

.PP
\fB--secure.bind-address\fP="0.0.0.0"
	The IP address on which to listen for the --secure.bind-port port. The associated interface(s) must be reachable by the rest of the engine, and by CLI/web clients. If blank, all interfaces will be used (0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).

.PP
\fB--secure.bind-port\fP=8443
	The port on which to serve HTTPS with authentication and authorization. It cannot be switched off with 0.

.PP
\fB--secure.tls.cert-dir\fP="/var/run/iam"
	The directory where the TLS certs are located. If --secure.tls.cert-key.cert-file and --secure.tls.cert-key.private-key-file are provided, this flag will be ignored.

.PP
\fB--secure.tls.cert-key.cert-file\fP=""
	File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert).

.PP
\fB--secure.tls.cert-key.private-key-file\fP=""
	File containing the default x509 private key matching --secure.tls.cert-key.cert-file.

.PP
\fB--secure.tls.pair-name\fP="iam"
	The name which will be used with --secure.tls.cert-dir to make a cert and key filenames. It becomes /\&.crt and /\&.key

.PP
\fB--server.healthz\fP=true
	Add self readiness check and install /healthz router.

.PP
\fB--server.middlewares\fP=[]
	List of allowed middlewares for server, comma separated. If this list is empty default middlewares will be used.

.PP
\fB--server.mode\fP="release"
	Start the server in a specified server mode. Supported server mode: debug, test, release.

.PP
\fB--stderrthreshold\fP=2
	logs at or above this threshold go to stderr

.PP
\fB-v\fP, \fB--v\fP=0
	log level for V logs

.PP
\fB--version\fP=false
	Print version information and quit.

.PP
\fB--vmodule\fP=
	comma-separated list of pattern=N settings for file-filtered logging


.SH HISTORY
.PP
January 2015, Originally compiled by Eric Paris (eparis at redhat dot com) based on the marmotedu source material, but hopefully they have been automatically generated since!
